LGPD
Lei Geral de Proteção de Dados — Law No. 13,709/2018. The primary applicable law governing all personal data processing by 33 Digital.
GDPR · LGPD · CCPA · PIPEDA · ISO 27001
PRIVACY POLICY
Personal data handled with accountability and international standards.
33 Digital is a Brazilian technology company operating under the LGPD and aligned with GDPR, CCPA and other international data protection frameworks. This policy is addressed to data subjects, institutional partners, investors and regulatory bodies worldwide.
TransparencyAccountabilityData minimizationYour rights
REGULATORY FRAMEWORK
Compliance grounded in the world's leading data protection standards.
33 Digital is incorporated in Brazil and subject to the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018). We voluntarily align our practices with international frameworks to ensure consistent protection for all data subjects, regardless of their country of residence.
GDPR
General Data Protection Regulation (EU) 2016/679. Our practices align with GDPR principles for data subjects located in the European Economic Area.
CCPA / CPRA
California Consumer Privacy Act and California Privacy Rights Act. California residents are entitled to the rights described in this policy and may exercise them at any time.
PIPEDA
Personal Information Protection and Electronic Documents Act. Canadian residents interacting with our services are covered by equivalent protections under this policy.
Last updated
January 2026. This policy is reviewed periodically. The effective date is always indicated on this page. Material changes will be communicated via the website.
Supervisory authority
The competent supervisory authority for LGPD matters is the Autoridade Nacional de Proteção de Dados (ANPD — gov.br/anpd). EU residents may also contact their local Data Protection Authority (DPA).
DATA WE COLLECT
We collect only what is necessary. Nothing more.
33 Digital applies the principle of data minimization. We do not operate advertising pixels, third-party tracking cookies or behavioral profiling systems. All data collected serves a specific, declared and lawful purpose.
Data you provide
Name, email address, phone number, company name, job title and any information voluntarily submitted through contact, assessment or partnership request forms.
Technical server data
Basic information automatically recorded by the hosting infrastructure for security, uptime monitoring and abuse prevention. This includes IP addresses and request timestamps.
Visual preference
The color theme you select may be stored in your browser via localStorage. This data never leaves your device and is not used for identification, advertising or analytics.
Analytics and cookies
No analytics tools, advertising pixels or first-party cookies are currently active on this site. If activated in the future, a specific notice will be published prior to deployment.
We collect: only data voluntarily provided by you or technically required for the secure operation of this website.
We do not collect: sensitive categories of data (health, biometric, racial or ethnic origin, political opinions, religious beliefs) unless explicitly required and consented to for a specific service.
PROCESSING AND LEGAL BASIS
Every processing activity has a declared purpose and a lawful basis.
We do not process personal data for purposes incompatible with those stated at the time of collection. The legal bases applied are consent, legitimate interest and compliance with legal obligations, as defined under LGPD Art. 7 and GDPR Art. 6.
Responding to requests
Processing contact, assessment and partnership submissions to provide timely and relevant responses. Legal basis: consent and legitimate interest.
Strategic fit analysis
Evaluating alignment between your project or organization and 33 Digital's capabilities before any proposal or engagement. Legal basis: consent.
Service improvement
Improving website functionality and user experience based on aggregated, non-identifiable usage patterns. Legal basis: legitimate interest.
Legal compliance
Meeting regulatory, fiscal or judicial obligations under applicable Brazilian and international law. Legal basis: legal obligation.
Retention period
Data is retained only for as long as necessary to fulfill the declared purpose or comply with legal obligations. Upon expiry, data is securely deleted or anonymized.
No commercial use
Personal data is never sold, rented, licensed or shared with third parties for commercial, advertising or profiling purposes. This applies unconditionally.
Privacy is not a compliance checkbox. It is part of the architecture.
SHARING AND INTERNATIONAL TRANSFERS
Controlled access. No cross-border transfers without adequate safeguards.
Access to personal data is strictly limited. When infrastructure providers process data outside Brazil, we ensure equivalent protection standards are contractually guaranteed.
Internal team only
Only 33 Digital team members with a direct operational need to respond to or evaluate your request have access to submitted data.
Essential service providers
Hosting, email and infrastructure providers operating under strict data processing agreements (DPAs) with access limited to what is technically necessary.
Legal disclosure
Competent authorities when required by a duly substantiated legal order, judicial decision or regulatory requirement under applicable law.
Cross-border safeguards
When data is processed by infrastructure with servers outside Brazil, we apply Standard Contractual Clauses (SCCs) or equivalent mechanisms aligned with GDPR Chapter V and LGPD Art. 33.
Security measures: technical and organizational controls including access management, encryption in transit, and incident response procedures aligned with ISO/IEC 27001 principles.
Data breach notification: in the event of a personal data breach posing risk to data subjects, 33 Digital will notify the ANPD and affected individuals within the timeframes required by applicable law.
YOUR RIGHTS AS A DATA SUBJECT
Comprehensive rights recognized under LGPD, GDPR, CCPA and PIPEDA.
Regardless of your country of residence, 33 Digital recognizes and facilitates the exercise of the following rights. Requests are processed within 15 business days. No fees are charged for standard requests.
Access & confirmation
Request confirmation of whether your personal data is being processed and obtain a copy of the information we hold about you. (LGPD Art. 18 · GDPR Art. 15 · CCPA § 1798.100)
Rectification
Request correction of inaccurate, incomplete or outdated personal data. (LGPD Art. 18 · GDPR Art. 16)
Erasure
Request deletion of personal data processed on the basis of consent, subject to legal retention obligations. (LGPD Art. 18 · GDPR Art. 17 · CCPA § 1798.105)
Portability
Receive your data in a structured, machine-readable format for transfer to another controller, where technically feasible. (LGPD Art. 18 · GDPR Art. 20)
Withdrawal of consent
Revoke consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. (LGPD Art. 8 · GDPR Art. 7(3))
Objection
Object to processing based on legitimate interest where there is non-compliance with applicable law. (LGPD Art. 18 · GDPR Art. 21)
Restriction
Request restriction of processing in specific circumstances, such as while accuracy is contested or an objection is pending. (GDPR Art. 18)
Non-discrimination
Exercise any of these rights without being subject to discriminatory treatment, denial of service or retaliation. (CCPA § 1798.125 · LGPD Art. 6)
How to exercise your rights
Submit your request to contato@33digital.com.br with the subject line "Data Subject Request". We will respond within 15 business days and may request identity verification to protect your data.
Supervisory authorities
You may also lodge a complaint with the ANPD (Brazil), your national Data Protection Authority (EU/EEA), the California Privacy Protection Agency (CPPA), or the Office of the Privacy Commissioner of Canada (OPC).
DATA PROTECTION OFFICER (DPO)
Questions about this policy? Contact our Data Protection Officer directly.
33 Digital has designated a Data Protection Officer responsible for overseeing compliance with this policy and applicable data protection law. The DPO is the primary point of contact for data subjects, institutional partners, regulatory bodies and supervisory authorities.
LGPD
GDPR
CCPA
PIPEDA
ISO 27001